To validate the password, this constraint doesn't send the raw
password value to the haveibeenpwned.com API. Instead, it follows a secure
process known as k-anonymity password validation.

In practice, the raw password is hashed using SHA-1 and only the first bytes of
the hash are sent. Then, the haveibeenpwned.com API compares those bytes
with the SHA-1 hashes of all leaked passwords and returns the list of hashes
that start with those same bytes. That's how the constraint can check if the
password has been compromised without fully disclosing it.

For example, if the password is test, the entire SHA-1 hash is
a94a8fe5ccb19ba61c4c0873d391e987982fbbd3 but the validator only sends
a94a8 to the haveibeenpwned.com API.

When using this constraint inside a Symfony application, define the
not_compromised_password option to avoid making HTTP requests in the dev and
test environments.

When the HTTP request made to the haveibeenpwned.com API fails for any
reason, an exception is thrown (no validation error is displayed). Set this
option to true to not throw the exception and consider the password valid.

This value defines the number of times a password should have been leaked
publicly to consider it compromised. Think carefully before setting this option
to a higher value because it could decrease the security of your application.
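
The k-anonymity check, the error-skipping behavior and the leak-count threshold described above, as an added Python sketch of the protocol (not Symfony's own code). The function names, the injected fetch_range callable, the "SUFFIX:COUNT" response lines and the >= comparison are assumptions of this example; the sample response is constructed so it runs offline.

```python
import hashlib

PREFIX_LEN = 5  # "a94a8" in the example above is 5 hex characters


def split_hash(password):
    """Return (prefix sent to the API, suffix that never leaves the host)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


def leak_count(suffix, range_body):
    """Look up our suffix in a range response of 'SUFFIX:COUNT' lines (assumed format)."""
    for line in range_body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0  # suffix not in the returned bucket: no known leak


def is_compromised(password, fetch_range, threshold=1, skip_on_error=False):
    """fetch_range(prefix) returns the response body; injected so no HTTP is needed."""
    prefix, suffix = split_hash(password)
    try:
        body = fetch_range(prefix)
    except Exception:
        if skip_on_error:
            return False  # request failed: consider the password valid
        raise  # otherwise the failure surfaces as an exception
    # Assumption: "compromised" means leaked at least `threshold` times.
    return leak_count(suffix, body) >= threshold


# Constructed sample response for prefix A94A8. The first and last suffixes
# and all counts are made up; the middle line is the suffix of SHA-1("test").
SAMPLE_BODY = "\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:3",
    "FE5CCB19BA61C4C0873D391E987982FBBD3:42",
    "FFB1F0E2D3C4B5A69788796A5B4C3D2E1F0:1",
])


def fake_fetch(prefix):
    """Stand-in for the API call (hypothetical helper)."""
    return SAMPLE_BODY if prefix == "A94A8" else ""


def failing_fetch(prefix):
    """Stand-in for a failed HTTP request (hypothetical helper)."""
    raise ConnectionError("constructed failure")
```

Raising the threshold above the sample count of 42 makes the same password pass, which is the security trade-off the threshold paragraph warns about.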